Description of problem:
IdMInstallClientPackages: true should install the openssl-perl package on pre-provisioned nodes. If not, deployment would fail with the below error if this package is not pre-installed on pre-provisioned nodes.

Sep 2 07:09:45 controller-1 puppet-user[81894]: Warning: Could not get certificate: Execution of '/usr/bin/getcert request -I libvirt-vnc-client-cert -f /etc/pki/libvirt-vnc/client-cert.pem -c IPA -N CN=controller-1.internalapi.redhat.local -K libvirt-vnc/controller-1.internalapi.redhat.local -D controller-1.internalapi.redhat.local -C systemctl reload libvirtd -w -k /etc/pki/libvirt-vnc/client-key.pem -F /etc/pki/CA/certs/vnc.crt' returned 1: Path "/etc/pki/CA/certs": No such file or directory.
Sep 2 07:09:45 controller-1 puppet-user[81894]: Error: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Libvirt_vnc[libvirt-vnc-client-cert]/Certmonger_certificate[libvirt-vnc-client-cert]: Could not evaluate: The certificate 'libvirt-vnc-client-cert' wasn't found in the list.

Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce: 1. 2. 3.
Actual results:
Expected results:
Additional info:
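A preflight check for the failure in the log above, added here as an example and not taken from the bug report or from TripleO: it lists the parent directories of the getcert -f (certificate), -k (key) and -F (CA file) targets that are missing on a node. The function name, the SAMPLE_ARGS variable and the optional root-prefix argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the bug report): preflight for a pre-provisioned node.
# Prints each parent directory of a getcert -f (cert), -k (key) or -F (CA file)
# target that does not exist, so the gap is found before puppet/certmonger runs.
# $1 = getcert argument string
# $2 = hypothetical root prefix, used to test against a scratch tree (default: /)

missing_cert_dirs() {
    args=$1
    root=${2:-}
    seen=" "
    set -f              # no globbing while splitting the argument string
    set -- $args        # positional parameters are local to the function
    set +f
    while [ $# -gt 1 ]; do
        case $1 in
            -f|-k|-F)   # case-sensitive: -K (principal) is not a path
                dir=$(dirname "$2")
                case $seen in
                    *" $dir "*) ;;          # directory already checked
                    *)  seen="$seen$dir "
                        [ -d "$root$dir" ] || printf '%s\n' "$dir" ;;
                esac
                shift ;;
        esac
        shift
    done
}

# Constructed sample: the getcert arguments copied from the log line in the report.
SAMPLE_ARGS='request -I libvirt-vnc-client-cert -f /etc/pki/libvirt-vnc/client-cert.pem -c IPA -N CN=controller-1.internalapi.redhat.local -K libvirt-vnc/controller-1.internalapi.redhat.local -D controller-1.internalapi.redhat.local -C systemctl reload libvirtd -w -k /etc/pki/libvirt-vnc/client-key.pem -F /etc/pki/CA/certs/vnc.crt'

# Check the live filesystem of the node this runs on.
missing_cert_dirs "$SAMPLE_ARGS"
```

Any directory it prints has to exist before the certificate request can succeed; an empty result means all three targets have a parent directory.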
Some thoughts on this:

This can't be something that is solved in ansible-tripleo-ipa. The ansible-tripleo-ipa roles run on the undercloud, not the overcloud nodes. On the overcloud nodes, the registration is done using -- https://github.com/openstack/tripleo-heat-templates/blob/master/deployment/ipa/ipaservices-baremetal-ansible.yaml#L146-L147 which uses the upstream ipaclient module.

The parameter IdMInstallClientPackages is used to set a parameter for this upstream module, to determine whether or not to add the IPA client packages. These packages do not include openssl-perl because it's not needed by IPA client, but rather by THT later when getting certs from certmonger. For OVB, this isn't a problem because openssl-perl is in the overcloud image.

What we're looking for is a way to make sure it's on the preprovisioned nodes (other than documentation), maybe as a dependency of an rpm that has to be on the overcloud nodes? tripleo-common maybe?
jslagle -- any idea of how we might do this?
(In reply to Ade Lee from comment #2)
> jslagle -- any idea of how we might do this?

You can just add another ansible task in deploy_steps_tasks in deployment/ipa/ipaservices-baremetal-ansible.yaml to install the package.
Upstream reviews merged into stable/train. Moving this RHBZ to POST.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Red Hat OpenStack Platform 16.1.6 bug fix and enhancement advisory), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:2097